ICO trails its GDPR guidance programme

What happened: The ICO has published details of the guidance it will be issuing to support businesses to get to grips with their new obligations under General Data Protection Regulation (“GDPR”) (see here). The ICO’s initial focus over the next six months will be familiarising businesses with the key principles of the new regulatory environment and specifically:

Publishing ICO guidance on the following key topics: an overview of the GDPR; individuals' rights; contracts; consent; and privacy notices. The guidance will build on the ICO's document, "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now" (see here), and will highlight to businesses the differences between their current obligations under the Data Protection Act 1998 ("DPA") and the new obligations they need to prepare for under the GDPR.

Contributing to European level guidance, due to be published by the end of 2016, in line with the Article 29 Working Party's 2016 action plan for the implementation of the GDPR (see here). This includes guidance on some of the completely new obligations for data controllers and data processors under the GDPR, and coordinating the guidance at a European level is intended to make its application consistent across member states. The guidance will cover the following topics: identifying an organisation's main establishment and lead supervisory authority; the right of individuals to have their data transferred between service providers (data portability); data protection officers, which will be mandatory for public sector entities and for businesses whose core activities involve processing "big data" or sensitive data; risky processing and data protection impact assessments; and relevant certifications to demonstrate compliance with the GDPR.

Considering and developing thinking on the following topics with a view to future ICO and European guidance: risk and significant legal effects; profiling; children's data; documentation/records of processing activity; data controllers and data processors; and international transfers.

The ICO will then map its existing DPA guidance against the GDPR to establish what to prioritise and whether it can simply update existing ICO guidance or needs to draft new guidance. This is expected to lead to a more detailed guidance plan so that the ICO can tell organisations and the public what guidance will be available before, as well as after, the GDPR comes into force in May 2018. Alongside this, the ICO may also design practical tools to support compliance. Finally, the ICO will write and finalise its GDPR guidance, referring out to European level guidance where relevant, and form a plan for updating the guidance over time as knowledge and experience of the GDPR increase.

Why this matters:

The GDPR was published in the EU Official Journal on 4 May 2016, and businesses now have two years to prepare before it comes into force on 25 May 2018. The GDPR will have a significant impact on businesses, with more onerous compliance obligations in terms of increased scope, enhanced individuals' rights and greater transparency and accountability, as well as increased risk in the form of fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The ICO has already urged businesses to get ready for the new law by engaging key stakeholders and putting new procedures and governance in place to manage and demonstrate compliance. It is therefore helpful for businesses to know when to expect guidance from the ICO as they work out which changes to prioritise from a budgetary and operational perspective and how to implement them most effectively and compliantly.